Abstract

In this paper we introduce a quantum information theoretical model 
for quantum secret sharing schemes. We show that quantum information 
theory provides a unifying framework for the study of these schemes. We 
prove that the information theoretical requirements for a class of quantum 
secret sharing schemes reduce to only one requirement (the recoverability 
condition) as a consequence of the no-cloning principle. We give also a 
shorter proof of the fact that the size of the shares in a quantum secret 
sharing scheme must be at least as large as the secret itself. 



1 Introduction 

Quantum secret sharing has been an active area of research in quantum
information theory [1] [2] [3] [4]. In a quantum secret sharing protocol, a dealer shares
an unknown quantum state with a set of players such that authorized subgroups 
of players can recover the quantum state, but unauthorized subgroups cannot 
get any information on it. Quantum secret sharing was first introduced in [2], 
where Hillery et al. proposed a scheme to share a single qubit between two play- 
ers. In [1] Cleve, Gottesman and Lo presented a more general scheme where 
a dealer can share an unknown quantum state with a set of players in a way 
that only groups with more than a given number of players, t, can recover the
original secret and collusions of players with less than t players have no
information about it. Given that the total number of players is n, this is a quantum
(t, n)-threshold scheme. The construction in [1] was based on quantum error
correcting codes. Constructions for general access structures were presented in 
[4] by Gottesman and in [5] by Smith. 

In classical secret sharing, and in classical cryptography in general, informa- 
tion theory has played a major role when designing and evaluating cryptographic 
primitives and protocols [6] [7] [8] [9]. It is a natural question to investigate the
properties of their quantum mechanical counterparts. In this contribution, we 
introduce a quantum information theoretical model for quantum secret sharing 
schemes. We show that quantum information theory provides a unifying
framework for the study of these schemes. Additionally, we prove that the information
theoretical requirements for some quantum secret sharing schemes differ from 
the ones for their classical counterparts. Moreover, we give a shorter proof of 
the fact that the size of the shares in a quantum secret sharing scheme must be 
at least as large as the secret itself. This result was first stated in [4]. 

The paper is organized as follows: in Section 2, we review some important 
concepts of quantum information theory that are used in this paper. Section 
3 introduces our model for quantum secret sharing schemes. We show that 
the recoverability requirement for pure state quantum secret sharing protocols 
implies the secrecy one in Section 4. In Section 5, we present a new and shorter 
proof of the fact that the sizes of the shares of a quantum secret sharing scheme 
are at least as large as the size of the quantum secret being shared. Finally, we 
conclude in Section 6. 

2 Preliminaries 

2.1 Quantum Information Theory 

We briefly review some important concepts of quantum information theory that 
will be used through the paper. For a nice introduction to the subject we suggest 
the references [10] and [11]. We consider finite dimensional quantum systems 
with m degrees of freedom which are modeled by the algebra of m x m matrices
over the complex numbers, here denoted by $\mathcal{M}_m$. The state of a system X is
described by its density matrix $\rho_X \in \mathcal{M}_m$.

The quantum entropy of a quantum system X with a density matrix
$\rho_X \in \mathcal{M}_m$ is defined as in [11]

$$S(X) = -\mathrm{Tr}(\rho_X \log \rho_X) = -\sum_{1 \le j \le m} \lambda_j \log \lambda_j,$$

where $\lambda_1, \ldots, \lambda_m$ are the eigenvalues of $\rho_X$. The quantum entropy can be
interpreted as the average number of qubits necessary to describe a realization of
the system X [12].

Quantum entropies generalize the classical Shannon entropies. For a random 
variable A taking values in an alphabet $\mathcal{A} = \{a_1, \ldots, a_n\}$ one has

$$H(A) = -\sum_{a} p(a) \log p(a),$$

where the random variable A takes the value x with probability p(x). When
all the quantum states that compose the quantum mixture $\rho_X$ are orthogonal,
S(X) reduces to H(X).

Conditional entropy is a very important tool used to analyze classical
systems. For two random variables A and B taking values in the alphabets $\mathcal{A}$ and
$\mathcal{B}$ respectively, the conditional entropy is defined as:

$$H(A|B) = -\sum_{a,b} p(a,b) \log p(a|b).$$

In order to analyze quantum secret sharing schemes precisely, it is important to 
generalize classical conditional entropies to the quantum domain. 

Let XY be a bipartite quantum system represented by a density matrix
$\rho_{XY}$ living on the Hilbert space $\mathcal{H}_{XY} = \mathcal{H}_X \otimes \mathcal{H}_Y$. The subsystems X and
Y will be represented by the partial traces $\rho_X = \mathrm{Tr}_Y \rho_{XY}$ and $\rho_Y = \mathrm{Tr}_X \rho_{XY}$.
The quantum entropy of a quantum system X conditional on another quantum
system Y can be defined as (see [11]):

$$S(X|Y) = S(XY) - S(Y), \qquad (1)$$

where $S(XY) = -\mathrm{Tr}(\rho_{XY} \log \rho_{XY})$ and $S(Y) = -\mathrm{Tr}(\rho_Y \log \rho_Y)$.

One can understand the quantum conditional entropy as the ignorance about 
the quantum system X when having full knowledge of Y. 

It is important to stress that it is possible to define different versions of 
quantum conditional probabilities. However, a nice point about the definition 
used here is that several well known properties of classical conditional entropies 
are valid in the new scenario [13] [14] [15] [16]. 

In spite of these similarities in the formulae, quantum conditional entropies 
are qualitatively different from their classical counterparts. For example, quan- 
tum conditional entropies can be negative while classical conditional entropies 
are always non-negative. It means that in quantum systems, sometimes, the 
entropy of the entire quantum system can be smaller than the entropy of one 
of its subsystems. This is the case for the so called entangled systems. Another 
consequence of the negativity of quantum conditional entropies is that proofs 
from classical information theory do not usually straightforwardly apply to the 
quantum scenario, since they often rely on the non-negativity of conditional 
entropies. 

Similarly, a quantum counterpart of the classical mutual information is de- 
fined (see [11]) as follows: 

$$I(X : Y) = S(X) + S(Y) - S(XY) \ge 0.$$

It should be remarked that the quantum information does not only measure 
quantum correlations between two systems. It includes both quantum and clas- 
sical correlations [13]. 

The quantum mutual information can be interpreted as the information on
the quantum state X that is conveyed by Y. Indeed, it is 0 iff the state of XY
is a product: $\rho_{XY} = \rho_X \otimes \rho_Y$.

The subadditivity, strong subadditivity and the Araki-Lieb inequalities of
quantum entropies will be heavily used when deriving our results. For the
convenience of the reader we state these results here [11].

The subadditivity of quantum entropies tells us that for a composite
quantum system XY, the following inequality holds:

$$S(XY) \le S(X) + S(Y).$$

The Araki-Lieb inequality is stated as:

$$S(XY) \ge |S(X) - S(Y)|$$

where $|\cdot|$ denotes the absolute value.

Finally, the strong subadditivity states that for any composite quantum
system XYZ, the following inequality holds:

$$S(XYZ) + S(Y) \le S(XY) + S(YZ).$$

It is easy to show that the following inequality is a consequence of the strong
subadditivity of quantum entropies:

$$I(X : Y) \le I(X : YZ)$$

for any tripartite system XYZ.

2.2 Classical Secret Sharing Schemes

As stated in Section 1, a secret sharing scheme is a protocol that enables a
dealer $\mathcal{D}$ to share a secret $S_i$ from a set of n possible secrets $\Omega = \{S_1, \ldots, S_n\}$
with a set of players $\mathcal{P}$ so that the members of an authorized group are able
to recover $S_i$, but no other members can get any information about the secret
$S_i$. The authorized groups will be defined by an access structure $\Gamma \subset 2^{\mathcal{P}}$, a
family where each element is an authorized group. More precisely, for a set of
participants $\mathcal{P} = \{P_1, \ldots, P_m\}$ and a dealer $\mathcal{D}$, the access structure $\Gamma \subset 2^{\mathcal{P}}$ is
a family of subsets of $\mathcal{P}$ containing the sets of participants qualified to recover
the secret. Monotonicity is a natural requirement of an access structure, i.e.
if $X \in \Gamma$ and $X \subset X'$ then $X' \in \Gamma$. There is one operation $\Lambda$ which chooses
randomly with a given distribution a tuple of shares $\in \Omega_1 \times \cdots \times \Omega_m$ for a given
secret $\in \Omega$. By $\Lambda_j : \Omega \to \Omega_j$ we denote the restriction of the operation $\Lambda$ to one
player $P_j$ determining its share. To obtain consistent shares all $\Lambda_j$, $j \in \mathcal{P}$ refer
to the same execution of the operation $\Lambda$. Assuming a probability distribution
on $\Omega$, the secret S and the shares $\Lambda_j$ become random variables. A secret sharing
scheme is called perfect if:

1. Any set of qualified participants $X \in \Gamma$ can uniquely determine the secret
S, i.e. $H(S \mid \Lambda_j : j \in X) = 0$.

2. None of the subsets $X \subset \mathcal{P}$, $X \notin \Gamma$ can get information about the secret
S, i.e. $H(S \mid \Lambda_j : j \in X) = H(S)$.

When $|\mathcal{P}| = m$ and $\Gamma = \{B \subset \mathcal{P} : |B| \ge t\}$ the secret sharing scheme is
called a (t, m)-threshold scheme.

3 A Model for Quantum Secret Sharing Schemes 

In this Section, we provide a formal definition of a secret sharing scheme based 
on quantum entropies. In a quantum secret sharing protocol, a dealer D wants
to share a quantum state $|X\rangle$ with a set of players $\mathcal{P}$ according to a given access
structure $\Gamma \subset 2^{\mathcal{P}}$. The access structure $\Gamma$ is a family that lists all the subsets
of players that can recover the quantum secret $|X\rangle$.

In our model, the quantum secret $|X\rangle$ is chosen from a set of possible
quantum secrets $\mathcal{X} = \{|X_1\rangle, |X_2\rangle, \ldots, |X_n\rangle\}$. The a priori probability that the
secret $|X_i\rangle$ is chosen is $p_i$. The quantum secret S can thus be represented by
the quantum mixture:

$$\rho_S = p_1|X_1\rangle\langle X_1| + p_2|X_2\rangle\langle X_2| + \ldots + p_n|X_n\rangle\langle X_n|.$$

We assume the states $|X_i\rangle$ to be pure states. The set of possible quantum shares
given to a player $P \in \mathcal{P}$ and any quantum state that he may possess are, for
simplicity of notation, also denoted by P. Its density matrix is represented by
$\rho_P$.

Each quantum secret is assumed to lie in a n-dimensional Hilbert space $\mathcal{H}_S$.
We will model the shares of the players by quantum systems. The Hilbert space
in which the share of player i lives is denoted by $\mathcal{H}_i$. If A is a subset of $\mathcal{P}$,
then we will denote the Hilbert space that describes the shares of players in A
by $\mathcal{H}_A = \bigotimes_{a \in A} \mathcal{H}_a$. Let us introduce a reference system R with Hilbert space
$\mathcal{H}_R$ and a purification, denoted $|SR\rangle \in \mathcal{H}_S \otimes \mathcal{H}_R$: i.e., after tracing out R, one
recovers $\rho_S$ [11]. A distribution of shares is given by a completely positive map

$$\Lambda_D : \mathcal{S}(\mathcal{H}_S) \to \mathcal{S}(\mathcal{H}_1 \otimes \cdots \otimes \mathcal{H}_m) \qquad (2)$$

where $\mathcal{S}(\mathcal{H}_A)$ represents the state space of the system A. Note that by the
Stinespring dilation theorem we can always make $\Lambda_D$ an isometry (as we shall
henceforth assume to be the case), by adding a player $P_{m+1}$ [11] (and trivially
extending the access structure). We denote by $|RP_1 \ldots P_m\rangle$ the state of the
quantum system $RP_1 \ldots P_m$ after applying $\Lambda_D$ to S (and the identity to R). We
denote by A, both a given subset of players $A = \{P_1, \ldots, P_j\} \subset \mathcal{P}$ and the
quantum shares which are in the possession of those respective players. The set
of all the quantum shares which are distributed to the players in $\mathcal{P}$ is denoted
by $\mathcal{P}$.

Definition 1 Let R be a reference system such that SR is in a pure state. A
quantum secret sharing protocol realizing an access structure $\Gamma$ is a completely
positive map which generates quantum shares $\{P_1, \ldots, P_m\}$ from a quantum
secret $\rho_S = p_1|X_1\rangle\langle X_1| + p_2|X_2\rangle\langle X_2| + \ldots + p_n|X_n\rangle\langle X_n|$, and distributes these
shares among a set of players $\mathcal{P}$, $|\mathcal{P}| = m$ such that:

1. For all $A \in \Gamma$ we have that $I(R : A) = I(R : S)$, or equivalently, as proved
in [17], for $A \in \Gamma$ there exists a completely positive map $T_A : \mathcal{H}_A \to \mathcal{H}_S$
such that

$$\mathrm{id}_R \otimes T_A : \mathcal{S}(\mathcal{H}_R \otimes \mathcal{H}_A) \to \mathcal{S}(\mathcal{H}_R \otimes \mathcal{H}_S), \quad \rho_{RA} \mapsto |RS\rangle. \qquad (3)$$

2. For all $A \notin \Gamma$ we have that $I(R : A) = 0$.

The requirement 1 means that the entanglement between the reference state
and the secret is preserved when it is recovered by authorized players
(recoverability requirement). Actually, we remark that the equality $I(R : A) = I(R : S)$
is equivalent to saying that the coherent information $I_c = S(A) - S(RA)$ equals
the entropy of the secret $S(S)$. In [17], it was proven that this condition is
necessary and sufficient for quantum error correction. In our case, this means
that an authorized group can reconstruct the secret exactly. Consequently, our
requirement 1 implies a relation between quantum error correcting codes and
quantum secret sharing schemes. More in particular, this means that one can
see the mapping followed by restricting to the systems A as a quantum noisy
channel and the recovery process as quantum error correction.

The requirement 2 means that unauthorized groups cannot recover any state
which is correlated to R, and consequently with S (secrecy requirement). Note
that monotonicity is also naturally embedded in this definition. We remind the
reader that the second requirement means that the state of the system AR is
a product state, hence A and R are independent. Consequently, the relative
entropy $S(S|A)$ is equal to $S(S)$.

In the next Section we prove that, in contrast to classical schemes, the
recoverability requirement implies the secrecy requirement in some quantum
secret sharing schemes.

Example 2 We briefly illustrate our definition for the case of the (2,3)
threshold secret sharing scheme mentioned in [1]. For sake of clarity, we repeat the
scheme here. The secret is an arbitrary three dimensional quantum state, i.e.
$\rho_S = \frac{1}{3} \sum_{i=0}^{2} |i\rangle\langle i|$. The encoding scheme that encodes the shares for the
different players is given by an isometry $U_S : \mathbb{C}^3 \to \mathbb{C}^3 \otimes \mathbb{C}^3 \otimes \mathbb{C}^3$ mapping

$$U_S : \alpha|0\rangle + \beta|1\rangle + \gamma|2\rangle \mapsto \alpha(|000\rangle + |111\rangle + |222\rangle) + \beta(|012\rangle + |120\rangle + |201\rangle) + \gamma(|021\rangle + |102\rangle + |210\rangle)$$

We note that the operator $U_S$ induces a completely positive map $\Lambda_D$ on $\mathcal{M}_3$. As
S is a completely mixed state, its purification on $\mathbb{C}^3 \otimes \mathbb{C}^3$ (entanglement with
the reference system) looks as follows $|RS\rangle = \frac{1}{\sqrt{3}} \sum_{i=0}^{2} |i\rangle|i\rangle$. The system
RA (for $A = \mathcal{P}$) can then be described as follows,

$$|RA\rangle = (\mathbb{1} \otimes U_S)|RS\rangle = \frac{1}{3}(|0000\rangle + |0111\rangle + |0222\rangle + |1012\rangle + |1120\rangle + |1201\rangle + |2021\rangle + |2102\rangle + |2210\rangle)$$

It follows immediately that $I(R : S) = 2 \log 3$. When we take $A = \{1, 2\}$, i.e. A
is an authorized set, it readily follows from the previous equation that $S(A) = 2 \log 3$
and $S(RA) = \log 3$. Hence, as $I(R : A) = 2 \log 3$, the recoverability
requirement is satisfied. If on the other hand $A = \{1\}$, i.e. A is not authorized,
then it follows that the system RA is in the product state $\frac{1}{3}\mathbb{1} \otimes \frac{1}{3}\mathbb{1}$. Hence the
secrecy condition is satisfied.
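
The entropies quoted in Example 2 can be checked numerically. The following Python sketch is an added illustration and not part of the original paper: it builds the normalised state |R P1 P2 P3> from the codewords of U_S, evaluates I(R : A) for every non-empty set of players in units of log 3, and also reports the smallest single-share entropy next to S(S), the quantities compared in Section 5. All function names and the Jacobi eigenvalue routine are choices made for this example, and real amplitudes are assumed.

```python
import math
from itertools import combinations

# Added example (not from the paper); all names below are illustrative.
# Codewords of the (2,3) threshold encoding U_S of Example 2: |s> -> sum of words.
CODEWORDS = {0: ("000", "111", "222"),
             1: ("012", "120", "201"),
             2: ("021", "102", "210")}
R, PLAYERS = 0, (1, 2, 3)  # subsystem positions in |R P1 P2 P3>

def purified_state():
    """|RA> = (1 (x) U_S)|RS>, normalised, as {(r, p1, p2, p3): amplitude}."""
    return {(r, *map(int, w)): 1 / 3 for r, ws in CODEWORDS.items() for w in ws}

def reduced_density(state, keep):
    """Partial trace of a real pure state onto the subsystems in `keep`."""
    n = len(next(iter(state)))
    drop = [i for i in range(n) if i not in keep]
    by_env = {}  # traced-out index -> (unnormalised) vector on the kept part
    for idx, amp in state.items():
        vec = by_env.setdefault(tuple(idx[i] for i in drop), {})
        key = tuple(idx[i] for i in keep)
        vec[key] = vec.get(key, 0.0) + amp
    basis = sorted({k for vec in by_env.values() for k in vec})
    pos = {k: i for i, k in enumerate(basis)}
    rho = [[0.0] * len(basis) for _ in basis]  # restricted to the support
    for vec in by_env.values():
        for k1, a1 in vec.items():
            for k2, a2 in vec.items():
                rho[pos[k1]][pos[k2]] += a1 * a2
    return rho

def eigenvalues(sym, sweeps=30):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    a, n = [row[:] for row in sym], len(sym)
    for _ in range(sweeps):
        for p, q in combinations(range(n), 2):
            if abs(a[p][q]) < 1e-15:
                continue
            t = 0.5 * math.atan2(2 * a[p][q], a[q][q] - a[p][p])
            c, s = math.cos(t), math.sin(t)
            for k in range(n):  # A <- A J
                a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
            for k in range(n):  # A <- J^T A
                a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
    return [a[i][i] for i in range(n)]

def entropy(state, keep):
    """Von Neumann entropy S(keep) in units of log 3."""
    lams = eigenvalues(reduced_density(state, tuple(keep)))
    return -sum(l * math.log(l, 3) for l in lams if l > 1e-12)

def mutual_information(state, x, y):
    """I(X:Y) = S(X) + S(Y) - S(XY), in units of log 3."""
    return entropy(state, x) + entropy(state, y) - entropy(state, tuple(x) + tuple(y))

def check_scheme():
    """I(R:A) for every non-empty player set A, min share entropy, and S(R)."""
    psi = purified_state()
    info = {a: round(mutual_information(psi, (R,), a), 9)
            for size in range(1, 4) for a in combinations(PLAYERS, size)}
    return info, min(entropy(psi, (p,)) for p in PLAYERS), entropy(psi, (R,))

if __name__ == "__main__":
    info, min_share, secret = check_scheme()
    for a, i in info.items():
        print(a, "I(R:A) =", i, "authorized" if len(a) >= 2 else "unauthorized")
    print("min S(share) =", round(min_share, 9), " S(S) = S(R) =", round(secret, 9))
```

In units of log 3, every set of two or more players gives I(R : A) = 2 = I(R : S) and every single player gives 0, while each share has entropy 1 = S(S).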

We note that the quantum entropy of the mixed state ps can be understood 
as the minimum number of qubits necessary to faithfully store the quantum 
secret (see [12]). The same applies for the quantum mixtures representing the 
quantum shares of the players. 

A fundamental issue when dealing with secret sharing schemes is the amount 
of data that must be given to the set of players. The smaller the amount of data 
given to the set of players the better. This issue becomes even more important 
when dealing with quantum secret sharing. As quantum data is expensive and 
hard to deal with, it would be desirable to use as little quantum data as possible 
in order to share an unknown quantum state. Therefore, the analysis of the size 
of shares in quantum secret sharing schemes is an important research subject 
[18]. Based on the model introduced earlier and on classical equivalents [8], we 
define two important quantities related to the size of the shares in a quantum 
secret sharing scheme. 

Definition 3 The quantum information rate of a secret sharing scheme which
shares a quantum secret state S with a set of players $\mathcal{P}$ realizing an access
structure $\Gamma$ is given by the following expression: r = maxxg^SC^) '

The average quantum information rate of a secret sharing scheme which
shares a quantum secret state S with a set of players $\mathcal{P}$ realizing an access
structure $\Gamma$ is given by the following expression: f — ^^^'^^l^l .

We shall demonstrate how quantum information theoretical tools can be 
used to prove lower bounds on the size of the quantum shares in a quantum 
secret sharing scheme. 

4 Relation between the Recoverability and Secrecy Requirement

In this section, we prove that the recoverability requirement as stated in the
last section, implies the secrecy requirement for some quantum secret sharing
schemes. This result means that, for some access structures, if an authorized set
of players is able to recover a quantum secret at all, the unauthorized players
have no information about the secret. This is a consequence of the no-cloning
theorem and stands in sharp contrast with classical secret sharing schemes.

We first introduce the notion of coexistence. We say that a set of shares
A coexists with a secret S if there exists a completely positive map T from
$A' = \mathcal{P} \setminus A$ to the system S such that the secret S can be recovered. More
precisely, this is given by a completely positive map T such that

$$\mathrm{id}_R \otimes T : \rho_{RA'} \mapsto |RS\rangle. \qquad (4)$$

In the following proposition (which was first observed by Gottesman [4]), we
prove that if a quantum state A can coexist with the quantum secret S, then A
should have no correlation with S, that is A cannot be used to recover S.

Proposition 4 Given a quantum secret $\rho_S = p_1|X_1\rangle\langle X_1| + p_2|X_2\rangle\langle X_2| + \ldots + p_n|X_n\rangle\langle X_n|$
and a reference system R such that RS is in a pure state. If A can
coexist with the quantum secret S, then $I(R : A) = 0$, i.e. RA is in a product
state.

Proof. From the strong subadditivity property of quantum entropies, it follows
that

$$I(A : R) \le I(A : SR).$$

On the other hand we have

$$I(A : SR) = S(A) + S(SR) - S(SRA) \le S(A) + S(RS) - S(A) + S(RS).$$

The last inequality follows from the Araki-Lieb inequality. Since RS is in a pure
state it follows that $S(RS) = 0$, and hence that $I(A : R) \le 0$. Since the mutual
quantum information is non-negative the proposition follows.

■ 

Theorem 5 For quantum secret sharing schemes where unauthorized sets of 
players are the complement of authorized sets the recoverability requirement im- 
plies the secrecy requirement. 

Proof. In quantum secret sharing schemes where unauthorized sets of players 
are the complement of authorized sets, all the quantum states in possession of 
unauthorized sets of players coexist with the secret, since it can be recovered 
by the authorized players. Therefore, from Proposition 4, we know that there is 
no correlation between the quantum states of unauthorized sets of players and 
the secret. 

5 A Lower Bound on the Size of the Shares



In this section we give a proof that the size of the shares in a quantum secret 
sharing scheme must be as large as the size of the secret itself. This theorem 
was first proved in [4]. However, our proof is based on quantum entropies and
it is simpler than the original one: it follows from the subadditivity property of 
quantum entropies [10] [11]. 

Theorem 6 In any quantum secret sharing scheme realizing an access structure
$\Gamma$ for any subsets of players A and B such that $A, B \notin \Gamma$ but $A \cup B \in \Gamma$ it holds
that $S(A) \ge S(S)$ where S is the secret being shared.

Proof. From the fact that $A \cup B \in \Gamma$ and Def. 1 we have that

$$S(AB) - S(RAB) = S(R).$$

Applying the Araki-Lieb inequality to $S(RAB)$, we get

$$S(AB) - S(RA) + S(B) \ge S(R).$$

Since $I(A : R) = 0$, it follows that $S(RA) = S(A) + S(R)$, and this together with
the last inequality gives us:

$$S(AB) - S(A) + S(B) \ge 2S(R).$$

Using the subadditivity property and the fact that $S(R) = S(S)$, it follows that

$$S(B) \ge S(S)$$

which proves the theorem.

■ 

From Definition 3 and Theorem 6, Corollary 7 follows:

Corollary 7 The quantum information rate and the average quantum
information rate of a secret sharing scheme are lower bounded by 1.

■ 

Another concept closely related to quantum secret sharing is the quantum 
Vernam cipher, introduced by Leung in [19]. In a quantum Vernam cipher, a 
sender, Alice, wants to send a quantum state to a recipient, Bob, such that an 
eavesdropper, Eve, when intercepting this secret quantum state has no way to 
get any knowledge on it. To do so, they share entangled states in advance
and use them as a quantum key. So, in a quantum Vernam cipher, the key and
the message are quantum states. Actually, the quantum Vernam cipher is an
implementation of a quantum secret sharing scheme. If Alice's part of the key
is represented by the quantum system A, Bob's by the quantum system B, the
encrypted message is represented by the quantum system M, and the quantum
cleartext resides in the secret system S, the quantum Vernam cipher can be
described by the following access structure $\Gamma = \{(A, M), (B, M)\}$. Therefore,
the following corollary holds. 

Corollary 8 In a quantum Vernam cipher the size of the key is as large as the
size of the message to be transmitted. 

■ 

We remark that although the dimension of the quantum keys in a quantum 
Vernam cipher is as large as the dimension of the quantum message, the quantum 
scheme presents an advantage over its classical counterpart: the quantum keys 
can be recycled [19]. 

6 Conclusions 

We introduced a quantum information theoretical model for quantum secret 
sharing schemes. This model provided new insights into the theory of quantum 
secret sharing. We proved that the recoverability requirement implies the
secrecy requirement for a class of quantum secret sharing schemes by giving an
information theoretical argument for Gottesman's result that the complement of
an authorized set is unauthorized. Also, we gave a shorter proof of his theorem 
that the size of the shares in a quantum secret sharing scheme must be as large 
as the secret itself. Additionally, we proved that the size of a key in a quantum 
Vernam cipher must be as large as the message itself. 

It is an interesting open problem to prove better lower bounds on the infor- 
mation rate for specific access structures different from threshold schemes. 

After this work was concluded, we were informed that the lower bound on 
the size of shares of quantum secret sharing schemes has been proved in [20] by 
using different methods. 